Talk:LOGS ABOUT HOW WE FOUND LINODE SERVER OF ONION 3
So it looks like this page could do with some first-hand clarification.

How the server-status page was found in verbose terms

For most of the puzzles I took a sideways approach and tried discovering information about cicada using means they probably did not intend. Simply put, I tried to "hack" them at most stages throughout. In this case, through no prompt of any clue, I decided to run a DirBuster scan on the onion server. DirBuster is software that attempts to discover files and directories on a web server by trying different combinations of a large list of common file and folder names. This approach was unsuccessful. I also ran a simple vulnerability scan (Nessus, by Tenable) meant for identifying possible configuration errors and security vulnerabilities in a webserver. I was looking for a way to break into the onion server (ideally through some unpatched public RCE vuln) to gather more information. The scan returned a warning that the server-status page was left open. This is a default setting in most versions of the Apache webserver and it is advised that it is turned off in production. Cicada probably left this configuration option enabled.

How the linode URL/account/IP was found

The server-status page lists some server status information, such as resource usage and version numbers, but it also has a log of recent web requests. Most of the requests were logged as coming from localhost. Requests to the TOR hidden service show up as coming from localhost for security and practicality reasons. Some of the requests, however, did not come from localhost, and those requests had their hostname set to the linode address. This means that someone was using the linode domain to make requests to the server hosting Apache. It was likely a linode status probe as there is no other real reason for someone to use the linode supplied domain for the server.

Was this cicada?

Yes.
While crashdemons found evidence that this linode host is a proxy to the onion service and potentially not the only server involved in the hosting of the onion, the owner of this server must have at least collaborated with cicada in order to have the server operate in this way, because this server was receiving accurate reports of all traffic sent to the onion URL. This means this must have been the server that was directly hosting the hidden service relating to that onion address, or it was being purposely relayed to by that server. This server was either the first node receiving traffic from tor and was probably acting as some sort of load balancer, or it was one server in a sequence of daisy-chained hidden services to maintain kind of retarded levels of anonymity. The second option is way less likely in my opinion.

What was all that crazy garbled text in the server status page?

These messages were not sent by cicada, and there is no hidden message within them other than this: shortly after I discovered that my requests would show up on the server status page that everyone was watching with eagle eyes, I immediately created a python script to spam the server with requests. Each request was to a different file on the server. Each of those file names was a single line of ASCII art of Shrek's face. My intention was to plaster a large image of Shrek on the server-status page. This attempt failed as there were too many requests coming through and the requests ended up being in the right order. For whatever reason I decided to take the logs off of the server status page here: https://pastebin.com/je6Yudvh - and restore them to their intended glory:

 li676-224.members.linode.com HEAD _____
 li676-224.members.linode.com HEAD ,-' `._
 li676-224.members.linode.com HEAD ,' `. ,-.
 li676-224.members.linode.com HEAD ,' \ ),.\
 li676-224.members.linode.com HEAD ,. / \ /( \;
 li676-224.members.linode.com HEAD /'\\ ,o. ,ooooo. \ ,' `-')
 li676-224.members.linode.com HEAD )) )`. d8P"Y8. ,8P"""""Y8. `' .--"'
 li676-224.members.linode.com HEAD (`-' `Y' `Y8 dP `' /
 li676-224.members.linode.com HEAD `----.( __ ` ,' ,---. (
 li676-224.members.linode.com HEAD ),--.`. ( ;,---. )
 li676-224.members.linode.com HEAD / \O_,' ) \ \O_,' |
 li676-224.members.linode.com HEAD ; `-- ,' `---' |
 li676-224.members.linode.com HEAD | -' `. |
 li676-224.members.linode.com HEAD _; , ) :
 li676-224.members.linode.com HEAD _.'| `.:._ ,.::" `.. |
 li676-224.members.linode.com HEAD --' | .' """ ` |`.
 li676-224.members.linode.com HEAD | :; : : _. |`.`.-'--.
 li676-224.members.linode.com HEAD | ' . : :__.,'|/ | \
 li676-224.members.linode.com HEAD ` \--.__.-'|_|_|-/ / )
 li676-224.members.linode.com HEAD \ \_ `--^"__,' , |
 li676-224.members.linode.com HEAD -hrr- ; ` `--^---' ,' |
 li676-224.members.linode.com HEAD \ ` / /
 li676-224.members.linode.com HEAD \ ` _ _ /
 li676-224.members.linode.com HEAD \ ` /
 li676-224.members.linode.com HEAD \ ' ,'
 li676-224.members.linode.com HEAD `. , _,'
 li676-224.members.linode.com HEAD `-.___.---'

The BOIC server?

Why was there a BOIC server with Lurker69's and my name on it? I set up the server as a test for the RSA cracking of whenever that was. I intended to have a few people try it out so I hosted it on a webserver at my home IP. When my IP appeared on the server-status page, people visited it and concluded that it was related. The page had Lurker's name on it as an inside joke. It was just a test to see if BOIC was a viable tool to solve the problem (it was).

That's it

I realise that nobody probably cares about this but this is basically my only valuable contribution to this puzzle and it didn't seem right that the wiki page should be totally in the dark about how we found out about cicada's biggest slip-up. If you have any further questions about how the link was made between the onion and the linode URL, HMU on IRC @Taiiwo on freenode. Please someone edit this and add it to this page :3
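The slip-up described above comes down to one Apache mod_status setting. The following is an added illustration, not taken from this wiki or from Taiiwo's post, showing the open configuration beside a restricted one for Apache 2.4. The module path and the 10.0.0.0/8 management range are assumptions; the point of the comments is the detail the post itself reports, namely that requests arriving through a hidden service are seen by Apache as coming from localhost.

```apache
# Added example (not from the talk page): Apache 2.4 mod_status configuration.
# Module path is an assumption; adjust to the distribution's layout.
LoadModule status_module modules/mod_status.so

# ExtendedStatus enables the per-request table (client, VHost, request line).
# That table is what listed the linode hostname next to non-localhost requests.
ExtendedStatus On

# --- Exposed: the state the post describes -------------------------------
# Anyone who can reach the web server, including visitors arriving via the
# onion address, can read the status page and the hostnames logged on it.
#
# <Location "/server-status">
#     SetHandler server-status
#     Require all granted
# </Location>

# --- Restricted -----------------------------------------------------------
# Note that "Require local" is NOT used here. The tor daemon proxies
# hidden-service requests from 127.0.0.1, so allowing loopback would still
# admit onion visitors to the status page. Only an assumed internal
# management network is permitted; if the page is not needed at all, drop
# this Location block (or do not load the module) instead.
<Location "/server-status">
    SetHandler server-status
    Require ip 10.0.0.0/8
</Location>
```

A second, separate consideration follows from the same post: when a public hostname (here a hosting-provider default such as a linode members domain) and a hidden service are served by the same httpd process, any page that lists live requests will show both side by side, so the hidden service is best served from an httpd instance that has no publicly resolvable VirtualHost to leak.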